IT Risk Management Report
This Symantec podcast provides a summary of the February 2007 IT Risk Management Report, available for download at: www.symantec.com/riskreport.
Host: Editor – PodTech
Hello and welcome to another Enterprise Security podcast brought to you by Symantec. Today’s podcast provides a brief summary of the Symantec IT Risk Management Report. Thank you for listening.
Information Technology Risk is a growing component of total operational risk. As businesses increasingly depend on IT to automate processes and store information, IT Risk Management is emerging as a separate practice. Organizations across sectors and industries have begun to consolidate functions to develop a comprehensive focused approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm.
The Symantec IT Risk Management Report examines IT Risk along with the technology and process controls used to mitigate it. In a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world, the study determined the following across industries, regions and job roles: IT professionals rate themselves more effective in their deployments of technology than of process controls; they also see management of IT assets and configuration and change processes as particular problem areas; and finally, they see people and process improvements as holding the greatest opportunities for them to move from good to great.
Data from high-performance organizations yielded surprising and very encouraging results. More effective organizations, even though they often face higher risk levels, expect fewer incidents than less effective organizations. More detailed analysis into the specific controls deployed by these companies reveals that best-in-class organizations perform with high effectiveness across most controls, including process controls, while lower-performing organizations typically focus on a small number of more tactical controls.
The study also identifies substantial differences in the way IT operational personnel and executives view their IT Risk exposure and examines these in detail. Differing internal viewpoints on IT Risk and poor alignment between IT Risk Management programs and overall business objectives may themselves create risk. This appears to occur when Risk Management programs are not tailored to the specific risk profile of the business or coordinated across functional and business unit lines, leading to areas of both under and over investment.
Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment and a major cause. Best-in-class IT Risk management requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution design, and implementation across people, process, and technology and creation of a sustained IT Risk Management program complete with performance measurement and a model of continuous improvement. The staged program helps balance benefits, risks and cost at every step of implementation.
An organization’s assets, operations and personnel may be brought to harm by internal or external threats carried out against, or weaknesses exposed in, IT networks and systems. Managing IT Risk in service of your organization’s mission is the subject of this report, and the purpose of this series. The report outlines a five-step process to help organizations put consistent, measurable, long-term programs in place, avoiding over- and under-investment and achieving steady improvements measured against consensus goals.
Managing IT Risk is everyone’s job. From the CIO to the back-up administrator, everyone should share a common understanding of IT Risk, their priorities, and how they relate to their individual areas of responsibility. IT management must work closely with their business clients to assure that those priorities reflect the goals and objectives of the business as a whole. In combination, internal and business alignment assures appropriate resource allocation and operational efficiencies.
Thank you for downloading and listening to this Enterprise Security podcast brought to you by Symantec.
To learn more about IT Risk Management or to download the full IT Risk Management Report, visit us at www.symantec.com/riskreport, and for more Symantec podcasts visit us at www.symantec.com/podcast. Symantec – confidence in a connected world.